Policy

The Sophos
Web Appliance provides security
and control for your users’ web browsing by preventing the loading of viruses, Trojans, worms,
other malware, and potentially unwanted applications (PUAs).

The Web Appliance does this by using site
lists. Sophos provides a basic
and an enhanced list of URLs—the Sophos Basic Categorization Data and
the Sophos Enhanced
Categorization Data—each of which assigns a risk classification (high, medium, low, or
trusted) and a site category (business, education, sports, gambling, illegal drugs, weapons,
etc) to the listed URLs.

You can extend these Sophos
lists, or override the risk classification or the site category of the URLs by adding custom
entries. In addition to URLs, you can set whether requests for various downloadable file types
are allowed, warned, or blocked. "Block" or "warn" pages are displayed in response to
inappropriate user requests, and you can give users the ability to ask for a reclassification
or re-categorization of the site. The message that users see on these pages can also be
modified.

Default actions are as follows:

Content from sites classified as being high-risk is always blocked

Content from low-risk sites is always scanned

Content from trusted sites is always allowed

Additionally, you can set whether content from medium-risk sites is blocked or scanned and
whether content from unclassified sites is handled in the same way as content from low,
medium, or high-risk sites.

HTTPS

This security protection can be extended to HTTPS (encrypted) sites, which can also contain
security threats. You configure your Web Appliance to handle certificate validation,
thus deciding for your users about which HTTPS sites to trust.

HTTPS Scanning

To provide secure sessions between your users and commercial or banking sites, HTTPS can
encrypt web content between the website server and the user’s browser. To scan encrypted
content for malware, it must first be decrypted, then scanned, then re-encrypted for
delivery to the requesting end user’s browser. Doing this maintains the privacy of the
encrypted content, as the process takes place automatically without human eyes viewing the
content.

Active Directory

The Web Appliance allows you to view
lists of user groups imported from your organization’s Active Directory server and define
custom groups. On this page, you either apply the default policy to a select list of groups,
or you apply the default policy to all groups except those in the select list.

Acceptable Use Policies

The Web Appliance protects your
organization and your users from visiting sites that violate your organization’s browsing
policy, including sites that violate inappropriate browsing legislation. Site categories can
also be used to provide productivity control by disallowing access to entertainment sites
and other diversions.

Custom Policies

You can define a Special Hours policy, consisting of modified access settings that will
apply to the same set of users as the default policy, but that provides, for example, a more
relaxed web browsing policy during the lunch hour and after business hours.

You can also create as many as 80 Additional Policies, overriding the default policy and
the Special Hours policy. These can be applied to select users or groups and can also be set
to take effect only during a scheduled period. Additional policies can be turned on and off
as required, and they can be set to automatically deactivate at a specified date and
time.

Applying tags lets you set policy rules more simply and flexibly than is possible by using
other policy features. You can use the Local Site List to apply one or more tags to a URL.
With Additional Policies, you can set what action is taken in response to a tag.

Dynamic Categorization

Sophos provides the ability
to block attempts by your users to evade policy controls through anonymizing proxies and
caching websites by automatically detecting such sites with the Dynamic Categorization
feature.

Data Leakage Prevention

You can secure your users against leaking vital data through web use by using the Data
Leakage Prevention features to selectively block them from sending webmail messages and
posting on blogs.